AWS-DSSE-KMS — Dual side encryption on S3

sajeedmoh_27

sajeedmoh

Posted on March 24, 2024

Amazon S3 supports dual-layer server-side encryption with AWS KMS keys (DSSE-KMS). It applies two layers of encryption to objects when they are uploaded to Amazon S3. This helps with compliance with standards that require multilayer encryption for data.

How to enable DSSE-KMS key on AWS Console

  1. Sign in to the AWS console and open the S3 bucket's Properties tab.

  2. Select the Default encryption section and choose Edit.

  3. Under Encryption type, select Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS).

  4. Under AWS KMS Key, select Choose from your AWS KMS Keys or AWS KMS Keys in the list.

How to enable DSSE-KMS key on AWS CLI

The AWS CLI command below uploads a new object to S3 with DSSE-KMS encryption enabled.

aws s3api put-object --bucket s3-bucket-name --key object-name --server-side-encryption aws:kms:dsse --ssekms-key-id kms_key-id --body filepath

--ssekms-key-id -> specifies a customer managed AWS KMS key; if it is omitted, the AWS managed KMS key (aws/s3) is used.

How to require that all objects uploaded into S3 are encrypted by DSSE-KMS

Add the below S3 bucket policy.
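As an added example (not the original post's policy), a bucket policy of this kind can deny any `s3:PutObject` request that does not ask for DSSE-KMS and, in a second statement that goes beyond the text, pin uploads to one customer managed key. The bucket name `s3-bucket-name` is the placeholder from the CLI command above, and the key ARN is a placeholder to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Id": "RequireDsseKms",
  "Statement": [
    {
      "Sid": "DenyUploadsWithoutDsseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms:dsse"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithOtherKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
        }
      }
    }
  ]
}
```

Because the conditions are evaluated against the request headers, an upload that omits `--server-side-encryption aws:kms:dsse` is denied even when the bucket's default encryption is DSSE-KMS. With the second statement in place, pass the full key ARN to `--ssekms-key-id` so the value matches the policy.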

-> S3 Bucket Keys are not supported for DSSE-KMS.
